First of all, there are many ways a system can become vulnerable, we will not look at the malicious or badly configured machines.
We will look at a way to make a vulnerability over time without meaning to.
I was installing some software the other day... and noticed that while it installed itself it also created a service which allows a browser to open it like this: http://localhost:33308/ which means it created a "port" or service at 33308. localhost is your own computer.
But imagine a year or 2 from now and you did not update this software, as changes were made to it. what if a security vulnerability was found and the "old" version at 3.4.0 is vulnerable and can be circumvented with the new Metasploit version - which exploits old vulnerabilities?
Now presto you thought you were safe, but have not considered the software you downloaded a long time ago is not secure anymore. Hackers will find a way in, that is what they do. Your IT department does not know this software is running, or if they do, they may not have handled it either - especially if it is non-standard. How do you know?
Well, the only way to know - is to audit or review your systems... What ports are open? what are they supposed to be doing? Is email supposed to be running on the local system? that is a red flag.